Dailydave mailing list archives
Palladium, Memory Forensics, Clouds.
From: Dave Aitel <dave () kof immunityinc com>
Date: Wed, 20 May 2009 20:29:43 -0400
A few things stand out from my thoughts here, as I pack up to return from Hong Kong. The first thing is that Microsoft's best hope for Windows is to make it the only platform you can trust with your identity. If you have "end to end trust" then your ISP can say "only machines signed to your identity are allowed on the Internet". They can sell you internet where only IE can access it. How cool is that? See, not cool at all. Consumers hate it and people don't trust Microsoft as a company, which is why the people excited about it are DRM focused or just evil in general. But having the whole stack be "trusted" with a global PKI system is something your bank wants so that it can lower fraud rates. Having every email you send and receive encrypted and signed (obviously the default will be signed only, for political reasons) will eliminate spam as a matter of due course. There are just so many good things that come with "end to end trust". You could send an email from a trojaned box securely to someone else with a trojaned box. The title bar of your window would say "signed to Microsoft Outlook" and the hypervisor would encrypt the whole transaction from your keyboard presses to the pixel display in a process space no other process or kernel task can access. If this comes to pass, Windows is literally your wallet, and gets cemented in the ecosystem as the only thing that can hold your money and identity. It's a good play and it's still a primary focus for Microsoft - still their best hope for regaining prominence. It might even work.

And of course, there was a lot of chatter at SyScan about cloud computing. The smart money is bearish on it. Google and the other cloud providers want to convince businesses that no matter how sensitive their data is, you can store it on a shared infrastructure. This is not even close to true. Shared infrastructures are the next generation of shared hosting providers - they're for students and open source projects. Not businesses and definitely not governments. Eventually we'll see the cloud providers move towards offering private clouds with better security guarantees, which is when adoption will start really accelerating. It used to be banks were becoming IT companies, but now it's IT companies that are becoming banks, all asking us to trust them more than their competition.

The other thing that keeps coming up is memory forensics. You can do a lot with it today to find trojan .sys's that hackers are using - but it has a low ceiling I think. Most rootkits "hide processes", or "hide sockets". But it's an insane thing to do in the kernel. If you're in the kernel, why do you need a process at all? For the GUI? What are we writing here, MFC trojans? There's not a ton of entropy in the kernel, but there's enough that the next generation of rootkits is going to be able to avoid memory forensics as a problem they even have to think about. The gradient here is against memory forensics tools - they have to do a ton of work to counteract every tiny thing a rootkit writer does.

With exploits it's similar. Conducting memory forensics on userspace in order to find traces of CANVAS shellcode is a losing game in even the medium run. Anything thorough enough to catch shellcode is going to have too many false positives to be useful. Doesn't mean there isn't work to be done here, but it's not a game changer.

Anyways, a fun SyScan. Next stop Miami!

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
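The "hide processes" versus cross-view point above, as an added example that is not part of Dave's post: a constructed Python model of a kernel process list (standing in for Windows' PsActiveProcessHead / EPROCESS.ActiveProcessLinks) where a rootkit unlinks its own entry, and a forensic tool detects the gap by diffing the list walk against a scan of every object still carrying a process tag (standing in for a pool-tag scan). The object, list and tag names are the example's own, not real kernel structures.

```python
"""Cross-view detection of a DKOM-hidden process (constructed model)."""

class Proc:
    """Stand-in for a kernel process object; 'tag' mimics a pool tag."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.tag = "Proc"              # survives unlinking, so a scan still finds it
        self.prev = self.next = None

def build_list(entries):
    """Link Proc objects into a circular doubly-linked list.
    Returns (head, memory): memory is every allocated object, linked or not."""
    head = Proc(0, "<head>")
    head.prev = head.next = head
    memory = []
    for pid, name in entries:
        p = Proc(pid, name)
        p.prev, p.next = head.prev, head
        head.prev.next = p
        head.prev = p
        memory.append(p)
    return head, memory

def dkom_unlink(p):
    """Model of the 'hide process' trick: splice p out of the list but leave
    the object itself in memory (the rootkit points p at itself to stay stable)."""
    p.prev.next = p.next
    p.next.prev = p.prev
    p.prev = p.next = p

def walk_list(head):
    """View 1: what a list-walking API or tool reports."""
    seen, cur = set(), head.next
    while cur is not head:
        seen.add(cur.pid)
        cur = cur.next
    return seen

def scan_memory(memory):
    """View 2: carve every object that still carries the process tag."""
    return {p.pid for p in memory if p.tag == "Proc"}

def cross_view(head, memory):
    """Hidden processes = in the scan but absent from the list walk."""
    return scan_memory(memory) - walk_list(head)

def demo():
    # Constructed sample: three processes, the last one hidden by DKOM.
    head, mem = build_list([(4, "System"), (612, "svchost.exe"), (1337, "rk.exe")])
    dkom_unlink(mem[2])
    return cross_view(head, mem)       # {1337}
```

The same model also shows the post's ceiling argument: a kernel-resident payload that never allocates a process object leaves nothing for either view to disagree about, so this detector can only catch what still behaves like a process.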